Lenovo Finally Patches Ancient BlueBorne Bugs in Tab and Yoga Tablets

Lenovo patches several popular tablet models to protect against BlueBorne vulnerabilities first identified in September 2017.

Nine months after researchers warned of the BlueBorne remote code execution bug, Lenovo said Thursday that a patch is finally available for three popular lines of its Android tablets.

Lenovo, the world’s No. 3 Android tablet-maker, said BlueBorne patches are now available for four Lenovo Tab models, 14 Tab Essential models and three Yoga Tab models. The company also identified a tenth tablet SKU, Lenovo TB-8504F, which it said was also vulnerable to BlueBorne bugs, but would not receive patches.

BlueBorne vulnerabilities are considered high-severity flaws, according to Lenovo’s writeup of the patches released on Thursday. A spokesperson for Lenovo said that this latest round of BlueBorne patches completed the company’s patching for the bugs.

“We were done with laptops a while ago and this wraps it up with the tablets,” a Lenovo spokesperson told Threatpost. The company said it was not typical for Lenovo to wait so long to issue a security patch. “There are a variety of reasons why certain models get patched when they do. We work as hard as we can to get things fixed as quick as we can regardless of the product.”

In Sept. 2017, IoT security firm Armis disclosed a host of BlueBorne vulnerabilities that threaten billions of devices from Android and Apple smartphones to millions of printers, smart TVs and IoT devices that use the Bluetooth protocol. The vulnerabilities could enable an attacker to take over devices, spread malware, or establish a man-in-the-middle position to gain access to critical data and networks without user interaction.

At the time, Armis estimated that 5.3 billion devices were at risk, with 2.1 billion of those being Android devices. Of those Android devices, researchers estimated 900,000 were capable of receiving an update.

“Our expectation was within 30 to 45 days of the announcement of BlueBorne — and the availability of patches — that the updates would have already been made,” said Nadir Izrael, CTO and cofounder of Armis, in an interview with Threatpost. “We coordinated with Google, Microsoft, Apple and many downstream partners on patches around the September disclosure period… Yes, we are surprised these tablets haven’t been patched already.”

Izrael also said he is very happy to see any company patching against a vulnerability at any point in time. “This highlights the problem that, in general, it’s still too hard for the industry to distribute patches in a timely manner,” he said.
